WordPress Vulnerability Report

This week, 70 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 36 plugin vulnerabilities that have security patches available, so run those updates!

Additionally, there are 33 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Formidable Forms

Plugin: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Plugin Slug: formidable
Installations: 300,000+
Vulnerability: Auth. Remote Code Execution (RCE)
Patched in Version: 6.3.1
Severity Score: Critical
CVE: 2023-2877

Chaty

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug: chaty
Installations: 200,000+
Vulnerability: Authenticated Stored Cross Site Scripting (XSS)
Patched in Version: 3.1.2
Severity Score: Medium
CVE: 2023-3245

Ultimate Member

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Installations: 200,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 2.6.7
Severity Score: Critical
CVE: 2023-3460

EmbedPress

Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.8.0
Severity Score: Medium
CVE: 2023-3371

Login/Signup Popup

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Plugin Slug: easy-login-woocommerce
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium

Social Login and Register

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug: miniorange-login-openid
Installations: 30,000+
Vulnerability: Authentication Broken Authentication
Patched in Version: 7.6.5
Severity Score: Critical
CVE: 2023-2982

Subscribe2

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 10.41
Severity Score: Medium
CVE: 2023-1844

Subscribe2

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 10.41
Severity Score: Medium
CVE: 2023-3407

Contact Form & Lead Form Elementor Builder

Plugin: Responsive Contact Form Builder & Lead Generation Plugin
Plugin Slug: lead-form-builder
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.5
Severity Score: Medium
CVE: 2023-25969

Supsystic Popup

Plugin: Popup by Supsystic
Plugin Slug: popup-by-supsystic
Installations: 20,000+
Vulnerability: Prototype Pollution
Patched in Version: 1.10.19
Severity Score: High
CVE: 2023-3186

WPGraphQL

Plugin: WPGraphQL
Plugin Slug: wp-graphql
Installations: 20,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.14.6
Severity Score: Medium
CVE: 2023-23684

WP ERP

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug: erp
Installations: 9,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.12.4
Severity Score: High
CVE: 2023-2743

Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration
Plugin Slug: ldap-login-for-intranet-sites
Installations: 5,000+
Vulnerability: Unauthenticated LDAP Injection
Patched in Version: 4.1.6
Severity Score: High
CVE: 2023-3447

MStore API

Plugin: MStore API
Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Unauth. SQL Injection
Patched in Version: 4.0.2
Severity Score: Critical
CVE: 2023-3197

Poll Maker

Plugin: Poll Maker – Best WordPress Poll Plugin
Plugin Slug: poll-maker
Installations: 5,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 4.6.3
Severity Score: Medium
CVE: 2023-34013

Th Product Compare

Plugin: Product Compare for WooCommerce
Plugin Slug: th-product-compare
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.6
Severity Score: Medium
CVE: 2023-25969

Waitlist WooCommerce ( Back in stock notifier )

Plugin: Waitlist Woocommerce ( Back in stock notifier )
Plugin Slug: waitlist-woocommerce
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.3
Severity Score: Medium

Short URL

Plugin: Short URL
Plugin Slug: shorten-url
Installations: 2,000+
Vulnerability: Authenticated Stored Cross Site Scripting (XSS)
Patched in Version: 1.6.5
Severity Score: Medium
CVE: 2023-1602

Short URL

Plugin: Short URL
Plugin Slug: shorten-url
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: 1.6.5
Severity Score: High
CVE: 2022-46860

WP Inventory Manager

Plugin: WP Inventory Manager
Plugin Slug: wp-inventory-manager
Installations: 2,000+
Vulnerability: Inventory Items Deletion via Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.0.14
Severity Score: Medium
CVE: 2023-2842

Kanban Boards for WordPress

Plugin: Kanban Boards for WordPress
Plugin Slug: kanban
Installations: 1,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 2.5.21
Severity Score: Medium
CVE: 2023-0873

Request a Quote

Plugin: Request a Quote
Plugin Slug: request-a-quote
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.11
Severity Score: Medium

LiquidPoll

Plugin: LiquidPoll – Advanced Polls for Creators and Brands
Plugin Slug: wp-poll
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 3.3.69
Severity Score: Medium
CVE: 2023-36531

Front User Submit / Front Editor

Plugin: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
Plugin Slug: front-editor
Installations: 200+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 3.8.5
Severity Score: Medium

TrustProfile

Plugin: TrustProfile and reviews for WordPress
Plugin Slug: trustprofile
Installations: 200+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.25
Severity Score: Medium

Knowledge Center

Plugin: Easy Accordion FAQ and Knowledge Base Software for WordPress
Plugin Slug: knowledge-center
Installations: 20+
Vulnerability: Authenticated Cross Site Scripting (XSS)
Patched in Version: 2.8
Severity Score: Medium

Catalyst Connect Zoho CRM Client Portal

Plugin: Catalyst Connect Zoho CRM Client Portal
Plugin Slug: catalyst-connect-client-portal
Installations: 10+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium
CVE: 2022-44629

ARMember

Plugin: ARMember
Plugin Slug: armember-membership
Vulnerability: Stored Cross Site Scripting (XSS) on Common Messages Settings
Patched in Version: 4.0.5
Severity Score: Medium
CVE: 2022-47421

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.7.6
Severity Score: Medium
CVE: 2023-36513

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Broken Access Control
Patched in Version: 5.7.6
Severity Score: Medium
CVE: 2023-36512

Houzez CRM

Plugin: Houzez CRM
Plugin Slug: houzez-crm
Vulnerability: SQL Injection
Patched in Version: 1.3.5
Severity Score: Critical
CVE: 2023-36529

Salon Booking System

Plugin: Salon booking system
Plugin Slug: salon-booking-system
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.4.8
Severity Score: Medium
CVE: 2023-3427

LearnDash LMS

Plugin: LearnDash LMS
Plugin Slug: sfwd-lms
Vulnerability: Authenticated IDOR to Account Takeover
Patched in Version: 4.6.0.1
Severity Score: High
CVE: 2023-3105

WooCommerce Order Barcodes

Plugin: WooCommerce Order Barcodes
Plugin Slug: woocommerce-order-barcodes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.5
Severity Score: Medium
CVE: 2023-36511

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.6
Severity Score: Medium
CVE: 2023-36514

WP Post Author

Plugin: WP Post Author
Plugin Slug: wp-post-author
Vulnerability: Privilege Escalation
Patched in Version: 3.3.0
Severity Score: Critical

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Side Cart Woocommerce

Plugin: Side Cart Woocommerce (Ajax)
Plugin Slug: side-cart-woocommerce
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28415

Enhanced Text Widget

Plugin: Enhanced Text Widget
Plugin Slug: enhanced-text-widget
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23823

Duplicate Post Page Menu & Custom Post Type

Plugin: Duplicate Post Page Menu & Custom Post Type
Plugin Slug: duplicate-post-page-menu-custom-post-type
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36526

Zippy

Plugin: Zippy
Plugin Slug: zippy
Installations: 10,000+
Vulnerability: PHP Object Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36381

Form Builder

Plugin: Form Builder | Create Responsive Contact Forms
Plugin Slug: contact-form-add
Installations: 6,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23796

Enable SVG, WebP & ICO Upload

Plugin: Enable SVG, WebP & ICO Upload
Plugin Slug: enable-svg-webp-ico-upload
Installations: 6,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2143

SW Product Bundles

Plugin: SW Product Bundles
Plugin Slug: sw-product-bundles
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36519

ApplyOnline – Application Form Builder and Manager

Plugin: ApplyOnline – Application Form Builder and Manager
Plugin Slug: apply-online
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24391

Email download link

Plugin: Email download link
Plugin Slug: email-download-link
Installations: 5,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36523

Post Hit Counter

Plugin: Post Hit Counter
Plugin Slug: post-hit-counter
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36518

Layer Slider

Plugin: Layer Slider
Plugin Slug: slider-slideshow
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23798

WooCommerce Google Sheet Connector

Plugin: WooCommerce Google Sheet Connector
Plugin Slug: wc-gsheetconnector
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2329

WCP OpenWeather

Plugin: WCP OpenWeather
Plugin Slug: wcp-openweather
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-25471

WP Abstracts

Plugin: WP Abstracts
Plugin Slug: wp-abstracts-manuscripts-manager
Installations: 400+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36517

WP Abstracts

Plugin: WP Abstracts
Plugin Slug: wp-abstracts-manuscripts-manager
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28692

Post to CSV by BestWebSoft

Plugin: Post to CSV by BestWebSoft
Plugin Slug: post-to-csv
Installations: 300+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36527

Caldera Forms Google Sheets Connector

Plugin: Caldera Forms Google Sheets Connector
Plugin Slug: gsheetconnector-caldera-forms
Installations: 200+
Vulnerability: Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2330

Autochat

Plugin: Autochat Automatic Conversation
Plugin Slug: auyautochat-for-wp
Installations: 70+
Vulnerability: Unauth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3041

Quiz Expert

Plugin: Quiz Expert – Easy Quiz Maker, Exam and Test Manager
Plugin Slug: quiz-expert
Installations: 50+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36522

AN_GradeBook

Plugin: AN_GradeBook
Plugin Slug: an-gradebook
Vulnerability: Authenticated SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2636

Booked

Plugin: Booked
Plugin Slug: booked
Vulnerability: Unauth. Appointment Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-36399

Editorial Calendar

Plugin: Editorial Calendar
Plugin Slug: editorial-calendar
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4115

Editorial Calendar

Plugin: Editorial Calendar
Plugin Slug: editorial-calendar
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36520

File Manager Advanced Shortcode

Plugin: File Manager Advanced Shortcode
Plugin Slug: file-manager-advanced-shortcode
Vulnerability: Unauth. Remote Code Execution (RCE)
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-2068

Image Map Pro Lite

Plugin: Image Map Pro
Plugin Slug: image-map-pro-lite
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3411

Image Map Pro

Plugin: Image Map Pro
Plugin Slug: image-map-pro-lite
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3412

Noo Timetable

Plugin: NOO Timetable
Plugin Slug: noo-timetable
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45828

Noo Timetable

Plugin: NOO Timetable
Plugin Slug: noo-timetable
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45821

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: Auth. Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3063

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-36677

SP Project & Document Manager

Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36530

Web3

Plugin: Web3 – Crypto wallet Login & NFT token gating
Plugin Slug: web3-authentication
Vulnerability: Authentication Bypass Vulnerability
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-3249

WPJobBoard

Plugin: WPJobBoard
Plugin Slug: wpjobboard
Vulnerability: Unauth. Blind SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-36525

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

The7 — Website and eCommerce Builder for WordPress

Theme: The7
Theme Slug: dt-the7
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32123

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – July 5, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report